Several flaws have been reported in Apache Web Server that could allow hackers to take unauthorized control over it. The vulnerabilities could allow an attacker to execute unauthorized control over the servers and in some cases also allows to crash and cause a denial of service.
The vulnerabilities can be traced as CVE-2020-9490, CVE-2020-11984, CVE-2020-11993 and have been founded by Felix Wilhelm of Google Project Zero.
One of the vulnerability tracked as CVE-2020-11984 could lead to remote code execution that was present due to a buffer overflow condition in “mod_uwsgi” allowing an attacker to view, change, or delete sensitive data from the server.
Other flaw tracked as CVE-2020-11993 that was present in the HTTP/2 module causing logging statements made the wrong connection, causing concurrent use of memory pools.
Another flaw that was tracked as CVE-2020-9490 was a specially crafted ‘Cache-Digest’ header‘ that resides in the HTTP/2 that results in a crash and denial of service when the server actually tries to HTTP/2 PUSH a resource afterward.
When a specially crafted value for the ‘Cache-Digest’ header in an HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterward. Configuring the HTTP/2 feature via “H2Push off” will mitigate this vulnerability for unpatched servers.
After finding the vulnerability security team has immediately reported the flaw and the Apache team has successfully issued the security patch on 7th August 2020.
However, there are no such reports that these vulnerabilities have been exploited in the wild and the necessary patches have been sent to the vulnerable systems.